We’re guessing you’ve no doubt heard of GDPR by now, and hopefully you’re already on the road to understanding what this means for you and the compliance for your business. If not, then don’t worry; there’s still time to prepare but beware… time is running out.
We’re currently in the process of making our clients aware of the law and the changes required to their marketing tools and websites. To help everyone with the journey towards compliance, we thought we’d outline some of the key parts of the law and some steps to help achieve compliance.
What is GDPR?
A quick overview
GDPR stands for General Data Protection Regulation. It’s a new directive created by the European Commission and is the biggest shake up in data protection laws in decades. It builds on the current Data Protection Act principles and aims to standardise data protection laws for all individuals within the European Union.
What does GDPR affect?
The new regulations will change the way your business collects, processes and stores data. This specifically relates to personal data which, as Recital 26 of the regulation explains, covers any data which can be used to single out an individual or otherwise identify them. This could even include information such as location data, IP addresses, and unique identifiers used for storage or tracking purposes.
The law enforces new conditions on how long data can be stored for as well as various rights for users to request a copy, changes, or deletion of information you hold on them. Age restrictions will also be imposed, meaning children of a certain age will not be able to consent for their information to be processed or stored.
Who does GDPR affect?
All businesses operating within the EU, as well as businesses around the world who have customers in the EU, will have to comply with GDPR. And before you ask, even with Brexit, GDPR will still be enforced in UK law both before and after the UK leaves the EU. While there has been much speculation since GDPR was announced about how the laws would be interpreted and enforced in the UK, this is becoming a lot clearer now.
What’s the damage?
With penalties of up to €20 million or 4% of annual global turnover – whichever is higher – plus the threat of prosecution in extreme cases, GDPR comes with heavy penalties if you fail to comply or experience a data breach. More so, as we’ve seen recently with lost laptops and USB sticks, data breaches can have a negative impact on customer confidence as well as your brand’s reputation.
When does GDPR come into force?
You should certainly ensure your business is compliant as soon as the new law comes into force across the EU on May 25th 2018. The ePrivacy directive (PECR) is also due to be updated in line with GDPR.
How to prepare for GDPR
We’ve put together some key points to get you started. While we hope you find these helpful, this isn’t a definitive guide and we are not legal experts. So we’d recommend you have your own legal support at hand to guide you through GDPR compliance in your business. Your steps to compliance will also differ depending on the size, type and structure of your business as well as if you’re classed as data processors, data controllers or both.
Step 1: Assign a Data Protection Officer
You should already have a data protection officer (DPO), or someone who is responsible for data protection (depending on the size of your business this could be a full time role). If not, you should assign the responsibility to ensure your business is GDPR ready, and going forward this person should continue to be responsible by monitoring and reviewing data and data processes in your business. You should also use the self-assessment tool to check if you’re classed as a data controller and if you’re required to register with the ICO.
Step 2: Review your Data, Processes and Procedures
Next, you should perform an audit on the data you hold and the processes which sit around it. Consider how it’s captured, where it originates, how it’s processed, where it’s stored, and document anyone you may be sharing it with. This is an important step to get right as it will influence future steps and the policies and procedures you’ll put in place. This shouldn’t be done just as a one-off either; GDPR also requires you to maintain records of your processing activities, so this should be an ongoing task reviewed on a regular basis. Once you have your processes mapped out, you should then consider the following:
Consent Process
In order to be compliant you must ensure that consent for processing and storing personal data is “freely given” and requested in “clear and plain language” – so no jargon here. More importantly, there needs to be an affirmative user action to opt in and provide consent. Therefore implied consent, soft opt-in approaches, and pre-ticked checkboxes accepting policies will no longer be allowed. You must also have established a ‘lawful basis’ before you start to process any personal data.
Any individual who provides you with their personal data automatically has a number of rights under GDPR. These include the right to obtain a copy of the data you hold, the right to have their data deleted or edited, the right to request restrictions on its processing, and even the right to withdraw consent at any time. It’s vital that you make the user aware of their rights at the consent stage, and that you have the right procedures in place to handle these requests.
Finally, what about existing data? If you sourced this data in a legal way and provided some form of opt-in process or option, you shouldn’t need to re-target those users to prompt them to re-consent. However, if you are in doubt, it is good practice to do so.
Storage & Sharing Process
After this consider where the data is stored, and how long it should be stored for. GDPR states that personal information should only be stored for as long as it is deemed necessary. You should also disclose to the individual upon gaining consent, how long you’ll be storing their data for. If you are sharing the data with a third party organisation or tool, you should also ensure they are GDPR compliant too.
Subject Access Request Procedure
If an individual does submit a subject access request, you can no longer charge for this (as current Data Protection laws allow). Instead, a copy of their data must be provided in a structured, commonly used and machine-readable format, at no cost to the subject. All requests should be handled within one month, and this includes other requests such as rectification or deletion of data.
Data Breach Response Procedure
Whilst we hope it never comes to it, if you do identify a data breach of any kind, GDPR requires you to notify the ICO within 72 hours. Yes, 72 hours (take note Uber). So if you do discover a data breach, you should identify the cause of the breach and the risk it poses, notify the ICO immediately, and notify the individuals affected without undue delay.
Step 3: Review your Tools and Website
You no doubt have a CRM and use third party tools or service providers for marketing or advertising, along with your website, which is probably running some kind of CMS. All of these tools will be capturing, processing and storing information of some kind, which should have been highlighted in your review process. Most of the major third party tools should already be compliant (or at least be advertising the fact that they are on their way to being so), and remember that their location doesn’t matter. The fact that you’re operating in the EU and using their tools means both parties need to be compliant. If you’re unsure, ask the third party themselves for further information or clarity.
How and where you capture data and send it to these tools will be mainly your responsibility. You’ll need to review your website and ensure any web forms and legal notices (including your privacy policy and terms) are updated as necessary.
Finally, whilst we’re talking websites, let’s talk about those non-edible virtual cookies. You may remember that back in 2012 new ePrivacy regulations implemented in the EU meant websites using cookies were forced to ask for permission before setting them. Since then the web has been awash with popup messages. The rules were soon relaxed by the ICO in the UK, and implied consent was deemed legal.
GDPR doesn’t directly specify cookie consent, but as cookies can be used to store personal data, the principles of GDPR will certainly apply to cookies too. Unfortunately there is some confusion around this; the effect on cookies remains a grey area and is still being debated. Updates to the ePrivacy directive are imminent and should help to clear this up, however these updates are still in draft stages and expected to be published soon.
From what we understand at present, consent will not be required for cookies that hold no personal data, but you will need to gain consent (via a clear affirmative user action) before setting any cookies which contain personal information or data that could be used to identify an individual. This includes third party cookies, including analytics and tracking cookies. It’s highly likely that implied consent will no longer be compliant under GDPR, and you’ll also be required to provide an easy way for a visitor to change or withdraw consent. So unfortunately, it looks like cookie banners and notices may be set to stay. However, we are hopeful that common sense will prevail and websites will instead be allowed to rely upon the user’s browser settings and preferences for cookie usage. We’ll update you on this once we know more.
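To show what the cookie consent requirements above look like in practice, here is an added example (our illustration, not code from any tool or CMS): a small consent gate that sets no non-essential cookie until the visitor ticks a category, records when consent was given, and clears the related cookies again on withdrawal. Cookie storage is abstracted behind a tiny jar object so the logic can run anywhere; in a page you would back it with document.cookie. The category and cookie names are constructed for the example.

```javascript
// Name of the cookie holding the consent record (constructed for this example).
const CONSENT_KEY = "cookie_consent";

// Non-essential categories a visitor can opt into. "essential" never needs consent.
const CATEGORIES = ["analytics", "marketing"];

// Build a consent manager bound to a cookie jar with get/set/remove methods.
function createConsentManager(jar) {
  // Read the stored record. Absence means "not given": there is no pre-ticked default.
  function getConsent() {
    const raw = jar.get(CONSENT_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  // Record an affirmative choice. Only categories the visitor actually ticked are
  // granted; everything else is treated as refused. The timestamp is the record
  // of when consent was given.
  function giveConsent(choices, now = Date.now()) {
    const granted = CATEGORIES.filter((c) => choices.includes(c));
    const record = { granted: granted, at: now };
    jar.set(CONSENT_KEY, JSON.stringify(record));
    return record;
  }

  // The gate: ask before setting any cookie or loading any tracking script.
  function mayUse(category) {
    if (category === "essential") return true;
    const c = getConsent();
    return c !== null && c.granted.includes(category);
  }

  // Withdrawal: drop the record and remove cookies set under each granted category.
  function withdrawConsent(cookieNamesByCategory) {
    const c = getConsent();
    if (c) {
      for (const cat of c.granted) {
        for (const name of cookieNamesByCategory[cat] || []) jar.remove(name);
      }
    }
    jar.remove(CONSENT_KEY);
  }

  return { getConsent, giveConsent, mayUse, withdrawConsent };
}

// In-memory jar used here so the example runs outside a browser.
function memoryJar() {
  const m = new Map();
  return { get: (k) => (m.has(k) ? m.get(k) : null), set: (k, v) => m.set(k, v), remove: (k) => m.delete(k), size: () => m.size };
}
```

Before loading an analytics script, call mayUse("analytics") and skip it when the result is false; wire withdrawConsent to the "change my cookie settings" link the visitor must always be able to reach.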
Step 4: Build Awareness, Monitor and Respond
It is vital that you ensure all staff within the business are both aware of and educated on GDPR, and understand the new processes and procedures which are put into place. To help with this we’ve included some useful resources below. Your new processes should help staff, empowering them to keep privacy at the heart of the business by monitoring, responding, and reviewing your processes and procedures regularly.
Useful GDPR Resources
We’ve gathered some other resources which provide further information and checklists to help get you compliant.
IT Governance – GDPR Overview
SendGrid – GDPR – What Senders Need To Know
ICO – Getting Ready for GDPR
ICO – Data Protection Self Assessment (including some useful checklists)
ICO – Awareness resources for organisations
If you’re one of our clients, we’ll soon be in touch to make you aware of GDPR and the changes required on your website. If you’re still unsure on GDPR or want to get a head start, drop us an email or give us a call and we’ll get back in touch.